Subject: sendmail-8.17.1 DANE-function unresponsive, sendmail-8.16.0.41 OK

talo · 09-14-2021, 03:06 AM

I have compared two versions of sendmail in regard to outgoing DANE protocol.
sendmail-8.16.0.41 setup according to "https://www.five-ten-sg.com/mapper/blog/dane"
Due to a few limitations only outcoing DANE applies, but newer sendmail versions (8.17.1) fail.
The 8.16.0.41 CASE Slackware 14.2 (pimped up a bit)
with: -O DANE=always see https://www.five-ten-sg.com/mapper/blog/dane

Quote:

Sep 7 11:38:48 metanoia sm-mta[7974]: STARTTLS=server, relay=xxxx.nl [82.139.77.123], version=TLSv1.3, verify=NO, cipher=TLS_AES_128_GCM_SHA256, bits=128/128
Sep 7 11:38:48 metanoia sm-mta[7974]: AUTH=server, relay=xxxx.nl [82.139.77.123], authid=yyyy, mech=PLAIN, bits=0
Sep 7 11:38:48 metanoia sm-mta[7974]: 1879ckBM007974: from=<yyyy@xxxx.nl>, size=2164, class=0, nrcpts=1, msgid=<9cf014bc-f893-a6c7-65c8-fa0dfeb60639@xxxx.nl>, bodytype=8BITMIME, proto=ESMTPSA, daemon=MSA, relay=yyyy.nl [82.139.77.123]
Sep 7 11:38:55 metanoia sm-mta[7977]: STARTTLS=tlsa found 3 0 1 for mx.soverin.net, len 32 48:96:62:EB:C5:B4:69:2B:01:84:F2:0B:0A:21:6C:64

1:90:56:1D:17:EF:9D:02:6E:4B:63:1E:E9:F4:6B:2B
Sep 7 11:38:55 metanoia sm-mta[7977]: STARTTLS=tlsa found 3 0 1 for mx.soverin.net, len 32 14:A1:23:0A:73:53:BA:13:00:E9:17:EA:3A:42:13:EF:E0:22:19:1D:ED:0C:30:41:79:67

A:AD:E7:38:03:5E
Sep 7 11:38:55 metanoia sm-mta[7977]: STARTTLS: dane cert verify: ok=1, depth=0 /CN=*.soverin.net, reason=0 ok
Sep 7 11:38:55 metanoia sm-mta[7977]: STARTTLS=client, relay=mx.soverin.net., version=TLSv1.3, verify=TRUSTED, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 7 11:38:56 metanoia sm-mta[7977]: 1879ckBM007974: to=<xxxx@freedom.nl>, ctladdr=<yyyy@xxxx.nl> (1000/100), delay=00:00:08, xdelay=00:00:08, mailer=esmtp, pri=122164, relay=mx.soverin.net. [IPv6:2a01:4f8:fff0:2d:8:0:0:140], dsn=2.
0.0, stat=Sent (Ok: queued as B3CB08E)

The above version handles all DANE types (not only 3 0 1), see also "https://www.talo.nl/talo/download/slackware/14.2/" (packages/sources)

The 8.17.1 CASE (Slackware 14.2 (pimped up a bit)
one test with: "O DANE=true" and with "O DANE" only
(sendmail/doc/op/op.ps defines "O DANE=true")
with -O DANE (with or without true)

Quote:

Sep 8 21:03:33 metanoia sm-mta[5768]: STARTTLS=server, relay=xxxx.nl [82.139.77.123], version=TLSv1.3, verify=NO, cipher=TLS_AES_128_GCM_SHA256, bits=128/128
Sep 8 21:03:33 metanoia sm-mta[5768]: AUTH=server, relay=xxxx.nl [82.139.77.123], authid=jaapw, mech=PLAIN, bits=0
Sep 8 21:03:33 metanoia sm-mta[5768]: 188J3V6U005768: from=<yyyy@xxxx.nl>, size=1014, class=0, nrcpts=1, msgid=<b4c55faa-bc55-97b8-b320-ca9293dcd097@xxxx.nl>, bodytype=8BITMIME, proto=ESMTPSA, daemon=MSA, relay=xxxx.nl [82.139.77.123]
Sep 8 21:03:39 metanoia sm-mta[5770]: STARTTLS=client, relay=mx.soverin.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 8 21:03:40 metanoia sm-mta[5770]: 188J3V6U005768: to=<xxxx@freedom.nl>, ctladdr=<jaapw@talo.nl> (1000/100), delay=00:00:07, xdelay=00:00:07, mailer=esmtp, pri=121014, relay=mx.soverin.net. [IPv6:2a01:4f8:fff0:2d:8:0:0:140], dsn=2.0.0, stat=Sent (Ok: queued as 2A5EB92)

The 8.17.1 version only handles 3 0 1 (actually 3 0 X), but verify is NOT TRUSTED by DANE at all.

Do I miss libraries? or is something else wrong?

talo